BitLocker To Go policies prevent BitLocker from being enabled
Hello,

In our domain we are testing BitLocker To Go (BLTG) policies in conjunction with BitLocker on Windows 7 client machines. Here is what we have found:

1. Company paper policy requires BitLocker on the OS drive.
2. Active Directory domain policies are in place to require BLTG on fixed drives and removable drives. The policies are set to include fixed drives because many of our users have eSATA drives, which, although not officially supported by BLTG, are nonetheless covered by the fixed disk policy settings and not the removable disk policy settings.
3. User joins a new computer to the domain. This computer has a single hard drive installed.
4. The computer inherits the BLTG policies.
5. The user tries to enable BitLocker on the OS volume (which resides on the computer’s hard drive).
6. The BitLocker setup wizard creates the necessary 300 MB system partition on the hard drive and tries to format it.
7. BLTG policies kick in and state that the new partition (which is now considered a fixed disk volume) cannot be formatted unless it is first encrypted. This is a problem because encrypting the new partition with BLTG will prevent it from being readable preboot, when BitLocker is attempting to read the keys to unlock the drive for the boot process.

Therefore, BLTG policies prevent BitLocker from being enabled. If we have users enable BitLocker prior to joining the domain, then they don’t have their recovery information backed up to AD. So, the only workaround I can see for this is that we will have to keep the BLTG policies in a GPO that’s filtered by a separate group and not roll the policies into a non-filtered domain-linked GPO. Then we’ll have to add computers to that group once BL is enabled on the OS drive and the recovery info is backed up to AD.

Is this expected behavior? Will it be changed in the future? Thank you.
April 10th, 2010 3:03am

I am experiencing the same issue. Anyone have a workaround?
April 24th, 2010 12:23am

Hi kbraz,

Sorry for the delay in replying. We have a couple of workarounds for this, and both involve the creation of a separate BLTG GPO.

In one workaround, we will have a separate BLTG GPO with a WMI filter that checks to see if BL has been enabled. If so, BLTG policies will be applied. If not, the policies will not be applied. The only downside to this approach is that a user could effectively avoid getting BLTG policies indefinitely if they don't enable BL, as there is no Group Policy mechanism to force users to turn on BL.

The other workaround is to create a BLTG GPO which is filtered by group membership. Then we will create a script that mines AD to determine if BitLocker has been enabled on a given computer or not. If so, the script will add the computer to the BLTG GPO group. If not, the script will wait a week for the user to enable BL, and will then move the computer to the BLTG group anyway. In this way, a user cannot avoid having BLTG policies applied simply by not enabling BL. Also, the time delay allows us to manually remove computers from the BLTG group for whatever reasons, but with the understanding that the user has one week at most before the policies will be automatically reapplied.

Justin
April 30th, 2010 7:39pm
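The second workaround Justin describes (a script that checks AD for backed-up BitLocker recovery information and moves computers into the group-filtered BLTG GPO, with a one-week grace period) could look like the following. This is an added example, not a script from the thread or from Microsoft; the group name `BLTG-Policy-Computers`, the search OU, and the choice to measure the grace week from the computer object's `whenCreated` are assumptions.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is installed
# and the account running it may read msFVE-RecoveryInformation objects and edit the group.
Import-Module ActiveDirectory

$BltgGroup  = 'BLTG-Policy-Computers'             # placeholder: group the BLTG GPO is security-filtered on
$SearchBase = 'OU=Workstations,DC=example,DC=com' # placeholder: OU containing the domain computers
$GraceDays  = 7                                   # the one-week delay described in the reply

# A computer counts as "BitLocker enabled" when at least one recovery-password object
# (schema class msFVE-RecoveryInformation) sits directly beneath its computer object,
# which is where the "store recovery information in AD DS" policy writes it.
function Test-BitLockerBackedUp {
    param([string]$ComputerDn)
    $info = Get-ADObject -SearchBase $ComputerDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -ErrorAction SilentlyContinue
    return ($null -ne $info)
}

$members = (Get-ADGroupMember -Identity $BltgGroup).distinguishedName
$cutoff  = (Get-Date).AddDays(-$GraceDays)

foreach ($pc in Get-ADComputer -Filter * -SearchBase $SearchBase -Properties whenCreated) {
    if ($members -contains $pc.DistinguishedName) { continue }   # already receives the BLTG GPO

    $backedUp = Test-BitLockerBackedUp -ComputerDn $pc.DistinguishedName
    # Assumption: the grace week is counted from creation of the computer object (domain join).
    $graceOver = $pc.whenCreated -lt $cutoff

    if ($backedUp -or $graceOver) {
        $reason = if ($backedUp) { 'recovery info found in AD' } else { 'grace period expired' }
        Write-Host "Adding $($pc.Name) to $BltgGroup ($reason)"
        Add-ADGroupMember -Identity $BltgGroup -Members $pc
    }
}
```

A computer's security token only picks up the new group membership at its next restart, so the BLTG GPO takes effect after the machine reboots, not immediately after the script runs.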
